Identity as a BioHazard
(via MonoDomo.com)

While doodling some generic security concepts, I noticed a familiar pattern: The flows, with some imagination, looked a lot like a biohazard symbol. The drawing was a stark reminder that, to paraphrase Bruce Schneier, security involves people. My knee-jerk reaction was to mutter: Of course, identity is yesteryear's new security boundary. Yet, there it stared, nagging me: BioHazard. And, I started to wonder: Are we looking at this all wrong?

Identity Health

Our cyber security infrastructures can resemble boundary onions and a never-ending series of checkpoints, not too dissimilar from TSA lines, or modern approaches promising simpler and faster experiences akin to the TSA equivalent of a Disney FastPass+ (i.e., TSA PreCheck or Clear). One day, our experience will be really fast when Lasik gets involved to read and etch data into our corneas. Meanwhile, little is provided to stop emotionally compromised or infectious individuals from sharing their distress in an enclosed space. And, in the realm of cyber security, our boundaries and checkpoints aren't designed to inhibit those same compromising individuals except by pattern and behavior recognition (and, by infectious, I don't mean malware, but the minds that would compose such).

Cyber security is sometimes likened to physical security, and authentication to checkpoints and forms of credentials. Meanwhile, computer systems are treated as the targets of malware infection, and users as the targets of social engineering. At the root (there's my bad pun for this discussion) the wrong individuals obtain the wrong access to the wrong resources at the wrong times for the wrong reasons, or the opposite of Identity and Access Management. For the rest of the world, that's the opposite of ethics. Good IAM, by that description, is good ethics. And, in practice, Good IAM starts to look like a never-ending TSA line, with or without your FastPass+. Sometimes we are inclined to draw real world relationships to digital concepts; if we reverse the comparison and personify our digital identities and behaviors into our corporeal being, how healthy are we?

In addition to ethics, what if Identity and Access Management considered identity health? Beyond social media health, risk, and leakage, identity health could include overall well-being. Alternately, my digital identity is an identity being. My first inclination on making this comparison is to think:

We're all running around unvaccinated! We are a digital biohazard!

Identity Disease

Who is this diseased and digital being?

I am a jumble of attributes, vaguely humanish, that has been broadcast, shared, printed, blogged and vlogged and logged, tweeted, emailed, hashed, and breached all over the place. Wherever I go the trip my identity data takes is about as orderly as a trip to the land-fill: I pass through one or more checkpoints, maybe pay an entry fee, and offer up the attribute crud I decided to pack that day, along with more attribute crud that this particular land-fill decides it needs. The attributes get dumped in and shoveled around into big stinking mounds of proprietary data stores, shuttled and shipped and trucked and trained all over the world where it's sifted and sorted and burned and scavenged. And then I go home, feeling a tiny bit better about myself because I paid to unload some of my attribute trash, well, copies of which anyway, and, elsewhere, someone is making a mountain of money off observing me and picking through the stinky pile for a clue that I've been ignoring or blocking every single online ad coming my way since 1995 and, except by accident, have never intentionally clicked on a single one, much less bought anything because of it. Sure, sure, the impression is what counts, right?

The point is: It seems like I lost control of my attributes in this process, but I really lost control the second I stepped into the Internet and, separately, when other people decided to publish my attributes without my permission. I might never have a digital presence at all, but thanks to breaches affecting organizations like Equifax or the United States Office of Personnel Management, my more sensitive bits are lingering around in that seedy back alley known as Onionland.

For all the original promises of the Internet providing a semblance of anonymity, and safe expression and borderless communion, the reality is (or should be) settling in that our digital and physical beings are inextricably tied. Some take comfort with VPNs or in Onionland, but even if they aren't keeping logs or are exploited, one visit from a regionally authorized goon squad is all it takes to record or compromise the veneer of privacy. This isn't to say that many companies don't take every precaution to protect your data and your privacy. Most do. Today. What about tomorrow? Or the day after that? Your identity data lurks in their repositories, a steaming pile of digital sludge. All it takes is a match and poof.

For the sake of argument, let's assume that people can be sorta-but-not-really anonymous on the Internet, and their data is kinda-sorta-private, at least until it's leaked. Whether you know it or not, you or somebody you probably don't know has hung your data out there for other people to see. It may not be visible yet, but it's there.

Identity Vaccination and Authorization

I'm a person. At least I like to think I am. I came from somewhere. I have attributes that define me. Those attributes and their values were instilled by my parents, taught in schools and churches, cloistered in college, drilled in by the military, drummed during employment, mocked and metered from friends and peers, and influenced by strangers or random events. Sometimes, some of those attributes are compromised by one of those sources. Sometimes, they are removed, and not by choice. And, ideally, those attributes are reviewed by different types of professionals who have studied those attributes and understand the complexities of how those attributes interact with the rest of the world. My cholesterol attribute is too high. Some people impose their attributes on others and that's called a crime, and they are prevented from attribute imposition for a while. Others do the same pursuant to some generally agreed upon reason, such as in enforcement of legal code. Others do the first but avoid preventative measure because they have the ability to compromise the second. But at the end of the day, I have a certain amount of freedom regarding my attributes and their values, and how those attributes are used in my day to day life.

What I don't have, and most of us don't have, are myriad copies of ourselves with varying attribute compositions. Granted, there are fake IDs, and if Hollywood is to be believed, a few choice scripts will generate up a whole fictitious dossier complete with a credit card and a humdrum existence in suburbia. We have different moods, different wardrobes, different dispositions, but they are all the same set of attributes, just with different values and preferences applied in different circumstances. Generally, when everyone is being civil and healthy around each other, we manage to get by. Not everyone or everywhere, sadly, but mostly. And, if someone with a raging and highly contagious case of the bubonic plague gets in line behind you, hey, that's all copacetic, right, because, I don't know, freedom? And, it's perfectly okay to walk around your neighborhood and pick your neighbor's flower attributes off their porch because they're just lying out there for everyone to see and grab anyway, right? No, you would tell Mr. Black Death to get the heck away from you and probably call security, who would probably call the CDC, and quarantine that person. Or your neighbors might break out the pitchforks, march right over to your house, and rip their wilted and poorly-planted pluckings from your sticky fingers, and afterwards keep you at arm's length.

So what is missing in relating digital identities with our physical selves?

The ability to individually release and retract our attributes ourselves, the ability of those around us to react to those released attributes, and the ability of those who operate our digital highways and gates to exercise quality control, or, depending on the severity, a lot of quality control, on those attribute values.

Since everyone's information is already out there anyway, and privacy momentarily aside, what's missing is the ability to authorize access to and use of those attributes. Don't want to loan out that email attribute anymore? Take it back (or the authorization to use it). If you do loan it out, should it be trusted? How do I know that email is genuine? Privacy need not be compromised, but has that attribute been vaccinated? No? Go get treatment (validation, verification, and certification) and try again. As a service provider, should you trust an unvaccinated attribute? Would you?

It seems to me data breaches would have a lot less impact if service providers were required to validate attribute authorization prior to using those attributes. Certain industries such as payment processing have, to a lesser extent, a semblance of this capability. But what if it was more widely applied? What good is a social security number to anyone if it isn't paired with a cryptographically signed grant saying that I, the attribute owner, authorize you to use this number? If banks and credit issuers were required to do so, would identity theft have the same impact?

I can only ever be in one place at any given time (geolocation), drive one car (device) at any given time (yes, yes, everyone has a pocketful of phones and a network of smart lightbulbs nowadays), and I can identify myself by a combination of factors that usually include spot verification (biometric) of issued identification (driver's license, passport, etc), and, later, forge my parent's signature, I mean, sign my name, on the bar tab. And I can take those things to a predetermined location, such as the DMV, or the TSA line, or the bouncer outside the mosh pit that serves organic tea (geolocation 2). There are a number of ways to combine these different factors into likely verification of identity, and none of them involve people asking for a passphrase like I'm slipping into a speakeasy, or taking off my pants and submitting to a body cavity search of my attributes. Once I perform the context- and location-sensitive authentication of my being, and, possibly, some additional verification depending on what's happening, I'm still in complete control of my attributes and their values. Then, later, when I leave, I take my attributes with me, and if I happen to have forgotten one or two, I tend to return on short notice to retrieve them. Or, I simply deauthorize the misplaced item. All that's left is an audit trail that I, a being of some kind, had access to a resource at a particular time and, if appropriate, for a specific reason. Once I leave, so do my attributes.

Privacy need not die in this process, and it shouldn't. The whole world doesn't need to know, and third parties shouldn't be able to buy access to what type of skin care treatments or toothpaste I choose to buy. If they want it, they can request authorization to that audit trail. I'll deny them, of course.

Why, then, digitally, do we rely on creating copies of everything? Answering with a solution such as blockchain-this, or cloud-that, or federate-you doesn't explain the reason the data is persisted to begin with. An essential tenet that should be enforceable: People have to be able to exercise tight control over their attributes, and other people shouldn't hold onto those attributes any longer than is needed. I can verify myself with a social security number, or a driver's license number, or a passport number, because I authorize release of that information. At what point does having the actual value serve a purpose if not so authorized? Isn't the value really in verifying who I am, and authorizing use of an attribute value for a limited time?

This is fundamentally Identity and Access Management applied to identity data itself.

Physical Networks Enable Social Networks

Worst case scenario: Someone cold-cocks you in the parking lot and steals your wallet or purse, your car keys, your laptop bag, the key card to your employer. It's modern times, so they go all Susan Cooper (fine: James Bond, so much for being semi-contemporary), take a special picture of your face before it swells up, grab fingerprints while you're incapacitated, and take retina scans of your eyes. Then, they whip out a can of Samuel L. Jackson, go a bit medieval, and you wake up with fewer identifying traits, and are impeded from proving who you are.

Wouldn't it be nice if you had a real friend or acquaintance or co-worker? Or three? People who could vouch in person for you now, but who, maybe previously, vouched in person for you earlier, that you are who you say you are? If that were the case, besides the unfortunate physical damage of this graphic example, what are the real consequences? Once you are identified (living, incapacitated, or otherwise), healing your digital identity becomes a matter of redacting authorization. If all service providers were enforcing validation, then they would have an easy audit trail to unwind any untoward digital activity, or detect fraudulent activity on the part of the person.

Physical identification requires a physical presence and, usually, some other form of identification. While issuing that identification, what if a cryptographic key was created, stored with the issuer, and enabled you to grant authorization to the identification attributes? Apply the same logic to telephone numbers, email addresses, credit card numbers, and so on?

Worst case scenario, if my social security number is used to open a bank account - well, it couldn't be, not easily, because I didn't authorize it. But this is Susan Cooper (fine: Jason Bourne) we're talking about, so she hacked my key store, and took control of my digital identity. Okay. I walk into the office of the identification issuer used to conduct the fraudulent activity, provide proof and/or witness of my real identity, reissue authorization keys, retroactively revoke outstanding grants for that number from the time of the event, and Presto! Authorization denied down the chain to anything ever done with that number from a given period (and all the repercussions that come with, but hey, it's a start).
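The grant, issuer-held key, and retroactive revocation described above can be sketched as follows. This is an added example, not code from the article or its author. It assumes HMAC-SHA256 from the standard library as a stand-in for the "cryptographically signed grant" (so only the issuer can validate), integer timestamps, and hypothetical names (`make_grant`, `Issuer`, `key_id`, the placeholder number).

```python
import hashlib, hmac, json

def _mac(secret, obj):
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret, data, hashlib.sha256).hexdigest()

def make_grant(key_id, secret, value, grantee, purpose, expires_at):
    """Owner side: authorize one grantee to use one attribute for one purpose."""
    grant = {"key_id": key_id, "attr": _mac(secret, value),  # keyed digest, not the raw value
             "grantee": grantee, "purpose": purpose, "expires_at": expires_at}
    return grant, _mac(secret, grant)

class Issuer:
    """Hypothetical identification issuer: stores the owner's keys and an audit trail."""
    def __init__(self):
        self.keys, self.cutoff, self.first_seen = {}, {}, {}

    def enroll(self, key_id, secret):
        self.keys[key_id] = secret

    def reissue(self, old_id, new_id, new_secret, compromised_at):
        # After in-person proof of identity: void the old key from the event onward.
        self.cutoff[old_id] = compromised_at
        self.keys[new_id] = new_secret

    def validate(self, grant, tag, value, grantee, purpose, now):
        secret = self.keys.get(grant.get("key_id"))
        if secret is None or not hmac.compare_digest(_mac(secret, grant), tag):
            return "bad-signature"
        if not hmac.compare_digest(grant["attr"], _mac(secret, value)):
            return "wrong-attribute"
        if (grant["grantee"], grant["purpose"]) != (grantee, purpose):
            return "wrong-scope"
        # The issuer's clock records first use, so a stolen key cannot backdate a grant.
        entry = (now, grant["key_id"], grantee, purpose)
        seen = self.first_seen.setdefault(tag, entry)[0]
        cutoff = self.cutoff.get(grant["key_id"])
        if cutoff is not None and seen >= cutoff:
            return "revoked"
        return "ok" if now < grant["expires_at"] else "expired"

    def unwind(self, key_id):
        """Audit trail: (grantee, purpose) pairs first seen at or after the compromise."""
        cutoff = self.cutoff.get(key_id, float("inf"))
        return sorted((g, p) for t, k, g, p in self.first_seen.values()
                      if k == key_id and t >= cutoff)

if __name__ == "__main__":
    issuer, ssn, key = Issuer(), "000-00-0000", b"constructed-secret"  # constructed values
    issuer.enroll("k1", key)
    grant, tag = make_grant("k1", key, ssn, "bank-a", "open-account", expires_at=2000)
    print(issuer.validate(grant, tag, ssn, "bank-a", "open-account", now=100))
    print(issuer.validate(grant, tag, ssn, "lender-b", "loan", now=100))
```

A grant made before the compromise but first presented after the cutoff is also refused; the owner would re-grant it under the new key.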

Summary

I think we need to reevaluate why we persist certain pieces of data with respect to our expectations of how that data is stewarded, and our ongoing ability to authorize use of that data. It all starts with our collective agreement that our digital identities are inherently unhealthy, maybe need to be vaccinated, and should be revocable.

Rohan Wood

Business Exit Strategy | Business Valuation | Succession Planning | Business Buying and Selling | Exit Strategist

6 years

Some awesome information you’ve got here Stephen, thanks for sharing.
